Date: Mon, 22 Jan 2018 19:42:23 -0800
From: Tristan Henning <tristan@...tomcrypto.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: How to deal with reporters who don't want their bugs fixed?
I don't know if you've all seen this, but this is definitely how not to
run a bug bounty.
http://www.digitalmunition.com/WhyIWalkedFrom3k.pdf
And the /r/netsec discussion from reddit
https://www.reddit.com/r/netsec/comments/7dc275/bug_bounty_hunter_walks_away_on_30k_bounty_from/
TL;DR
A researcher found major infrastructure issues and after clarification
of scope managed to compromise a very large part of DJI along with large
amounts of PII. DJI sicked legal on him and he was forced to walk from a
$30,000 bug bounty.
This document and story received a large amount of traction in the
"hacking" community. How many bug hunters will be reporting issues to
DJI in the future? My guess, not a lot...
-Tristan
On 1/22/2018 11:41 AM, Ian Zimmerman wrote:
> On 2018-01-22 17:20, Mikhail Utin wrote:
>
>>> Keeping it individual without a publicly announced maximum embargo time
>>> would also help prevent folks from jumping to 0daying everything per
>>> default:)
>> However, to me it is pure "Security by Obscurity" in a bit different
>> wording. It never worked. Simply think that somebody else knows the
>> secret and with your help continues using that.
> I think you misunderstand the parent post.
>
> Nobody is proposing that the embargo period for any _particular_ issue
> be secret. The proposal in the parent post was to not have a public
> general embargo policy for _all_ issues present & future.
>